A “persistent attacker group” with supposed connections to Hezbollah has retooled its malware arsenal with a new version of a remote access Trojan (RAT) to break into organizations worldwide and extract significant data. In another report published by the ClearSky research group on Thursday, the Israeli cybersecurity firm said it recognized at least 250 public-facing web servers since early 2020 that have been hacked by the threat actors to gather intelligence and take the organization’s databases. The coordinated intrusions hit a ton of organizations situated in the U.S., the U.K., Egypt, Jordan, Lebanon, Saudi Arabia, Israel, and the Palestinian Authority, with a majority of the victims representing telecom operators (Etisalat, Mobily, Vodafone Egypt), internet service providers (SaudiNet, TE Data), and facilitating and infrastructure service providers (Secured Servers LLC, iomart).
First documented in 2015, Volatile Cedar (or Lebanese Cedar) has been known to infiltrate an enormous number of targets utilizing different assault procedures, including a custom-made malware implant codenamed Explosive. Lebanese Cedar has been recently associated with Lebanese roots — explicitly Hezbollah’s cyber unit — regarding a cyber espionage campaign in 2015 that focused on military providers, telecom organizations, media outlets, and universities.
The Lebanese Cedar hackers utilized open-source hacking tools to check the web for unpatched Atlassian and Oracle servers, at that point they utilized exploits to access the server and send a web shell to acquire traction in the target system.
The assailants utilized basic 1-day vulnerabilities dependent on the vulnerable versions of the services in the undermined servers. Utilizing the three flaws in the servers (CVE-2019-3396, CVE-2019-11581, and CVE-2012-3152) as an attack vector to acquire underlying traction, the assailants at that point infused a web shell and a JSP file browser, the two of which were utilized to move laterally across the network, fetch additional malware, and download the Explosive RAT, which accompanies abilities to record keystrokes, capture screenshots, and executes arbitrary commands.
ClearSky noticed that the group’s utilization of web shell as its essential hacking tool might have been instrumental in driving researchers to a “dead-end in terms of attribution.” “Lebanese Cedar has shifted its focus significantly. Initially, they attacked computers as an initial point of access, then progressed to the victim’s network then further progressing to targeting vulnerable, public-facing web servers,” the researchers said.
Related